Privacy Policy

Version date: 29 May 2019 

1. Introduction

2M Consultancy (herein referred to as “2MC”) takes the protection of your data very seriously and always processes your data in line with statutory data protection regulations. This privacy notice is designed to provide you with an overview of how we process your data and of your rights in this connection. Your relationship to our organisation primarily determines what data in particular is processed or used by us. For this reason, some parts of this privacy notice may not apply to you.

2. Data Controller and Data Protection Officer

Responsibility for the processing of your personal data lies with:

2M Consultancy Ltd
One Cranmore Drive
Shirley
Solihull
B90 4RZ
United Kingdom

T: +44 203 735 9020
E: info@2mc.co

You can reach our data protection officer at:

2M Consultancy Ltd
Unit 424, Metal Box Factory
30 Gt. Guildford Street
London
SE1 0HS
United Kingdom

T: +44 203 735 9020
E: info@2mc.co

3. How we collect your personal data

We process personal data that we receive from you when you contact us or use our website, in particular when you show interest in our consulting, resourcing, learning and inspection services.

We also process personal data that we legally acquire from public domain sources or that are legally transmitted to us by other organisations of the TÜV Rheinland Group or third parties (e.g. network providers, building owners, previous tenants, facility managers, commercial credit agencies).

Relevant personal data include:

• Personal identification and contact details (e.g. title, name, address, date of birth, email address, telephone number);
• Payment data (e.g. account details);
• Data arising from the fulfilment of our contractual obligations, (e.g. risk and safety management consulting, recruiting contract staff, delivering training services, inspecting client sites);
• Data about your online behaviour and preferences (e.g. IP addresses, identifying features of mobile end devices, data about access to our websites and apps, geolocation data);
• Data for communication with you (e.g. by letter or email);
• Advertising and sales data (e.g. information on consent you have granted or objections you have lodged).
• In some cases, we also process legitimisation data (e.g. ID data), registration, relocation, residence data and audiovisual data (e.g. material from closed circuit televisions).

4. Purpose and legal basis of data processing

We process personal data in line with the EU General Data Protection Regulation (EU GDPR).

Within the context of GDPR, 2MC’s lawful basis for processing personal data include:

• Performance of a contract between parties
• The performance of a legal obligation
• The protection of vital interests (e.g. in a medical emergency)
• The exercise of our legitimate interests (described below)

1) In order to fulfil contractual obligations (Article 6, Paragraph 1 Letter b of the EU GDPR)

Processing is performed to fulfil our contract with you and to perform pre-contractual measures, instigated on your initiative. For example:

• Producing project proposals;
• Communicating with you and your colleagues during consulting projects;
• Evaluating your applications for certificated training programmes;
• Dispatching invoices;
• Assessing your suitability for associate placements and employment;
• Enrolling and rewarding you as an associate or employee.

Please refer to the relevant contractual documents, staff handbooks, business manuals and Terms and Conditions of Business for further details of the data processing purposes.

2) Within the context of weighing up interests (Article 6, Paragraph 1, Letter f EU GDPR)

Processing is performed to protect our legitimate interests or those of third parties unless overridden by your interests which require protection of personal data. Examples:

• The need to build and maintain sustainable and productive relationships with clients, suppliers, partners, employees and all other stakeholders;
• Managing our risks, maintaining accurate records and operating our business efficiently;
• Data processing and analysis to ensure a personalised appeal and tailored offerings;
• Data processing and analysis for the purpose of improving and developing intelligent and innovative services and products;
• Data processing and analysis for creating automated evaluations e.g. as the basis for price adjustments;
• Assertion of legal claims and defence in case of legal disputes;
• Ensuring IT security and IT operations;
• Video surveillance to exercise the right of who shall be allowed or denied access to premises and for collecting evidence in case of criminal activities;
• Processing of incoming requests from interested parties and non-customers.

3) On the basis of your consent (Article 6, Paragraph 1, Letter a of the EU GDPR)

Provided you have consented to us processing your personal data for specific purposes, processing is legal on this basis. Consent may be revoked at any time. This also applies to the revocation of declarations of consent that were granted to us before the EU GDPR came into effect, thus before 25 May 2018. Revocation of consent is only effective for the future and does not affect the legality of data processing up to the date of the revocation.

4) On the basis of legal requirements (Article 6, Paragraph 1, Letter c of the EU GDPR)

Processing may be performed in order to fulfill legal obligations.  For example:

• Communicating with national or regional governments in relation to company registrations or taxation;
• Securing or archiving data for specified purposes and periods;
• Health and safety reporting;
• Communicating with embassies, consulates or visa issuing authorities;
• Managing the employee lifecycle.

The relationship between our main operational processes and our lawful bases for processing personal data are as follows:

Project management
Purpose: Coordinating the delivery of services to clients using project methodologies
Legal bases: contract; legitimate interest

Business development
Purpose: Informing prospective clients about the services offered; issuing proposals; building sustainable client relationships
Legal basis: contract; legitimate interest

Contact management
Purpose: Maintenance of contact details, facilitating communications between employees, associates and all other stakeholders
Legal basis: contract; legal obligation; legitimate interest

Resourcing services
Purpose: Coordinating the recruitment, registration and remuneration of associates
Legal basis: contract; legal obligation; legitimate interest

Travel management
Purpose: Organising business travel for 2MC staff and associates
Legal basis: contract; vital interest; legal obligation; legitimate interest

Office administration
Purpose: Performing all activities associated with administrative support for 2MC’s businesses
Legal basis: contract; legitimate interest

External auditing
Purpose: Periodic visits from certified auditors with access to all data
Legal basis: legitimate interest

Corporate archiving
Purpose: Secure storage of business records for extended periods in offsite locations
Legal basis: contract; legal obligation; legitimate interest

Training and education services
Purpose: Managing all information pertaining to the enrolment and performance of clients and staff on training and education programmes
Legal basis: contract; legitimate interest

Financial management
Purpose: Payments to suppliers of goods and services to 2MC; billing clients for work completed
Legal basis: contract; legal obligation; legitimate interest

Accident reporting
Purpose: Administering the reporting of workplace incidents and injuries
Legal basis: vital interest; legal obligation; legitimate interest

Inspection services
Purpose: Delivery of technical inspection services to clients, including the recruitment and enrolment of inspectors
Legal basis: contract; vital interest; legal obligation; legitimate interest

IT change management
Purpose: Undertaking technical and administrative changes to IT systems in response to personnel changes
Legal basis: contract; legitimate interest

Employee HR management
Purpose: Management and administration of the employee lifecycle
Legal basis: contract; legal obligation; legitimate interest

5. Recipients of personal data

Within our organisation, departments with access to your data are those which require them to fulfil their respective duties in the organisation and to fulfil our contractual and legal obligations.

Service providers deployed by us and our TÜV Rheinland partners may also receive data. They may include:

• Other organisations of the TÜV Rheinland Group
• Post and printing service providers
• IT service providers
• Telecommunication service providers
• Payroll processors
• Sales partners
• Web service providers
• Credit agencies
• Collection agencies
• Legal advisers
• Auditors
• Insurance providers
• Pension providers
• Banks
• Suppliers of references.

In certain circumstances, personal data may also be forwarded to public departments (e.g. tax authorities, job centres), judicial and law enforcement authorities (e.g. police, district attorney’s offices, courts), attorneys, notaries and chartered accountants.

6. Transmission to third countries or international organisations

We transmit personal data to organisations outside the European Economic Area while we engage in legitimate business activities. These organisations include:

• TÜV Middle East
• International offices of clients and partner organisations
• Operational hubs of global postal and courier organisations
• Travel agents and suppliers
• Government visa and immigration services

Transmission of your personal data to the USA or Canada, should this occur, is performed in line with the relevant data protection regulations, guaranteed by Commission Implementing Decisions (EU) 2016/1250 of 12 July 2016 and 2001/4539 respectively.

7. Period of retention

We always delete your personal data when the purpose of processing expires; all mutual claims are fulfilled and no further legal retention obligations or legal basis for justifying retention exist.

As an international business operating worldwide, 2MC adopts a standard minimum retention period for data of 7 years, except where a shorter period has either been mandated in law, or where this is specified in contractual terms agreed between us and a third party.

All personal data is subject to periodic (typically annual) reviews.  It will then be maintained or erased in accordance with our obligations and legitimate interests.

8. Your data protection rights

In line with the statutory provisions, you hold the following data protection rights:

• the right to access to information about data stored by 2MC (Article 15 EU GDPR) and
• the right to correction (Article 16 EU GDPR),
• the right to erasure (Article 17 EU GDPR),
• the right to restriction of processing (Article 18 EU GDPR),
• the right to data portability (Article 20 EU GDPR),
• and the right to object (Article 21 EU GDPR)

In addition, you hold the right to lodge a complaint with the responsible supervisory authority, The UK Information Commissioner’s Office: https://ico.org.uk.

9. Obligation to provide data

As part of our business relationship (which may include employment or partnership), you must provide the personal data required to commence, perform and terminate the relationship and to fulfill the contractual obligations it entails or those data that we are required by law to collect. Without these data we will generally be unable to enter into a contract with you and to perform it.

For example:

• Contract staff or associates may be obliged to provide information required by tax authorities or for security clearance;
• Information may be required in order to take commercial flights and/or cross borders;
• Health and safety authorities require data about affected persons in accident and incident reports.

Furthermore, in both our contract forms and on our websites, it is clearly indicated when the entry of details is optional or mandatory.

10. Automated decisions in individual cases

We do not use automated decision-making processes within the meaning of Article 22 of the EU GDPR for establishing and performing business relationships.

However, in some cases we may choose to use profiling so that we can provide you with information on specific products. This means that we process your data to assess certain personal aspects, thereby enabling tailored communications.

11. Right to object

Right to object in individual cases

You are entitled to object to processing of your personal data at any time, for reasons resulting from your particular personal situation, if processing is conducted on the legal basis of Article 6, Paragraph 1, Letter e of the EU GDPR (processing in the public interest) and Article 6, Paragraph 1, Letter f of the EU GDPR (data processing based on the weighing up of interests). This also applies to profiling based on this provision.

If you lodge an objection we will stop processing your personal data, with the exception of cases in which we can prove compelling justified grounds for the necessity of processing that override your interests, rights and freedoms, or processing serves the assertion, exercising or defence of legal claims.

Right to object against processing of data for the purpose of direct advertising

In individual cases, it may be that we process your personal data for direct advertising purposes. You are entitled to object to processing of your personal data for the purpose of said advertising. This also applies to profiling in relation to said direct advertising.

Recipient of the objection

You can send your objection to us informally with the subject “Objection”, stating your name, address and date of birth.  Contact our Data Protection Representative at the address given in Section 1 above.

12. Collection of personal data during visits to our website

(1) If the website is used purely for information purposes, i.e. if you do not register or transfer information to us in any other way, we shall only gather personal data that your browser transfers to our server. If you wish to view our website, we will collect the following data, which are technically necessary for us to display our website to you and to guarantee stability and security (legal basis is Article 6, Paragraph 1, Sentence 1, lit. f of the EU GDPR):

• IP address
• Date and time of request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of request (specific page)
• Access status / HTTP status code
• Volume of data transferred each time
• Website from which the request comes
• Browser
• Operating system and its interface
• Language and version of browser software.

(2) In addition to the data stated above, cookies will also be stored on your computer when you use our website. Cookies are small text files which are stored on your hard disk and assigned to the browser used. They allow certain information to flow to the place that set the cookie (in this case by us). Cookies are not able to execute programs or to infect your computer with viruses. They are used to make the internet offering as a whole more user-friendly and effective.

(3) Use of Google Analytics

(a) This website uses Google Analytics, a web analysis service of Google Ireland Ltd. (“Google”). Google Analytics uses so-called “cookies”, text files stored on your computer that make it possible to analyse how you use the website. The information generated by the cookie about how you use this website is usually transmitted and stored on a Google server in the USA. In the event of IP anonymisation being activated on this website, your IP address will first be shortened by Google within any member state of the European Union or any other signatory state of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google will use this information on behalf of the operator of this website to analyse how you use the website, to compile reports about website activities and to provide other services to the website operator associated with how the website and the internet are used.

(b) Google will not merge the IP address transmitted by your browser and registered by Google Analytics with any other data.

(c) You can prevent cookies from being stored by making a corresponding setting in your browser software. Please be aware that if you do this, you may not be able to use all functions of this website to their full extent. In addition, you can also prevent the data generated by the cookie relating to how you use the website (including your IP address) being registered and processed by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

(d) This website uses Google Analytics with the extension “_anonymizeIp()”. This processes IP addresses in a shortened form, ruling out the possibility of personal reference. In the event that there is a personal reference in the data collected, this will be ruled out immediately and the personal data deleted forthwith.

(e) We use Google Analytics to analyze how our website is used, enabling us to improve it regularly. The statistics gained allow us to improve our offering and make it more interesting for you as a user. If in exceptional cases personal data are transmitted to the USA, Google is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. Legal basis for the use of Google Analytics is Article 6, Paragraph 1, Sentence 1, lit. f of the EU GDPR.

(f) Information from the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Terms of service: http://www.google.com/analytics/terms/us.html, Privacy overview: http://support.google.com/analytics/answer/6004245?hl=en, and the privacy policy: http://policies.google.com/privacy?hl=en&gl=en.

(4) Use of social media plug-ins

Addresses of the respective plug-in providers and URLs with their privacy policies:

1. a) Google Ireland Ltd., 1600 Amphitheater Parkway, Mountain View, California 94043, USA; https://policies.google.com/technologies/partner-sites?hl=en.Google is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
2. b) Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/en/privacy. Twitter is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
3. c)  LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

(5) Integration of YouTube videos

(a) Our online offering includes integrated YouTube videos which are stored on http://www.YouTube.com and which can be played directly from our website. [This is all included in “advance data protection mode”, i.e. no data about you as a user are transmitted to YouTube if you don’t play the videos. Only when you play the videos will the data stated in Paragraph 2 be transmitted. We have no influence over this data transmission.]

(b) When you visit the website, YouTube receives information that you have called up the corresponding page of our website. In addition, the data stated in Article 3 of this privacy policy will also be transmitted. This is done regardless of whether you have a YouTube user account which you are logged on to or whether you do not have a user account. If you are logged on to Google, your data will be assigned directly to your account. If you do not wish your data to be assigned to your YouTube profile, you must log off before you activate the button. YouTube will store your data as a usage profile and will use this for the purposes of advertising, market research and/or requirement-orientated design of its website. Such analysis is also performed with users who are not logged on, in particular to provide requirement-orientated advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles. To exercise this right, please contact YouTube.

(c) Further information about the purpose and extent of data collection and how they are processed by YouTube can be found in the privacy policy. There, you will also find further information about your rights and settings options to protect your privacy: https://policies.google.com/privacy?hl=en&gl=en. Google will also process your personal data in the USA and is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

(6) Integration of Google Maps

(a) We use the offering of Google Maps on this website. This allows us to display interactive maps directly on the website, enabling you to conveniently use the map function.

(b) When you visit the website, Google receives information that you have called up the corresponding page of our website. In addition, the data stated in Article 3 of this privacy policy will also be transmitted. This is done regardless of whether you have a Google user account which you are logged on to or whether you do not have a user account. If you are logged on to Google, your data will be assigned directly to your account. If you do not wish your data to be assigned to your Google profile, you must log off before you activate the button. Google will store your data as a usage profile and will use this for the purposes of advertising, market research and/or requirement-orientated design of its website. Such analysis is also performed with users who are not logged on, in particular to provide requirement-orientated advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of such user profiles. To exercise this right, please contact Google.

(c) Further information about the purpose and extent of data collection and how they are processed by the plug-in provider can be found in the privacy policy of the provider. There you will also find further information about your relevant rights and settings options to protect your privacy: https://policies.google.com/privacy?hl=en&gl=en. Google will also process your personal data in the USA and is subject to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.